The holidays can be a magical time. From Thanksgiving through December each year, there are more reasons to meet friends and family for cocktails or cozy nights in, share time-tested recipes, or tune into any great number of holiday flicks (Love, Actually, Die Hard, The Ref – choose your adventure). And whether you do it online or in-person, there’s shopping, shopping, and more shopping.
Unfortunately, though, the holidays can be magical for threat actors, too.
With so many of us stepping away from our day-to-day responsibilities, CIOs and CISOs must ask themselves, “Who's minding the store?” And if it’s not immediately obvious, ‘the store’ in this metaphor is your IT environment.
The most wonderful time of the year… for cyber attackers
Generally, the holidays mean many desks are empty. Computer systems are often unattended and security operations centers are short-staffed with fewer eyes on the storefront. The result? Businesses and organizations are more vulnerable to cyberattacks.
Additionally, 2022 witnessed mass layoffs, leaving companies short-staffed. Compound that with an infosec talent shortage and the usual stress and burnout, and you’ve got a recipe for oversight and human error.
In a study conducted by Cybereason, a whopping 70% of respondents actually admitted to having been intoxicated when responding to a ransomware incident over the holidays. But a cyberattack probably isn’t the best time to test your Ballmer peak.
Of course, malware attacks are rampant year-round, but they increase significantly over the holiday season. In fact, according to Cisco’s 2021 Cybersecurity Threat Trends report, phishing attacks historically spike around the holidays, with a reported peak of 52% in December. Additionally, lucrative malware campaigns like ransomware show no signs of slowing down.
Also in 2021, Darktrace reported that from 2018 to 2020 the average number of attempted ransomware attacks over the holiday season was 30% higher globally than the monthly average, and that attempted ransomware attacks in November and December were 70% higher than in January and February.
Companies hit by a ransomware outbreak could suffer extreme revenue losses from downtime and crippled operations, and in the healthcare vertical the consequences could even be fatal.
Clearly, the holidays have a very different meaning if you’re a cybercriminal or hacking group – mainly, this time of year equals opportunity.
Common cybersecurity threats during the holidays
A common way cybercriminals decide whom to attack is by harvesting "out-of-office" automatic email responses. They may start with a "spray and pray" approach, sending out thousands of emails en masse and then parsing the rich information in the out-of-office replies. These messages may reveal the following data points:
Who is on PTO
When staff will return
Staff phone numbers
That's a treasure trove of information for hackers.
Plus, there are additional cybersecurity and safety issues to keep in mind having to do with – you guessed it – human behavior.
With the onset of the holiday season, many of us have increased our online activities: booking flights, shopping for gifts, etc. Though these activities are not innately malicious, they give additional fodder to cybercriminals looking to social engineer end users to click and download their malicious payloads.
A prime example? You’re likely expecting packages or messages from relatives. So an attacker could easily create spear-phishing emails to emulate a FedEx or UPS package tracking number or mass-sent holiday "greeting cards."
During such a busy shopping season, it’s likely more people click on email links or promotional discount ads. As a result, there’s usually a large spike in email phishing over the holidays.
A look at recent holiday cyberattacks - 2022
Here are just a few recent examples of major attacks that occurred during or close to a holiday:
Over the New Year, Bernalillo County (Albuquerque, New Mexico) closed government buildings following a ransomware attack. The attack left a jail blind to its camera feeds and caused its automatic door mechanisms to fail closed, leaving inmates in lockdown.
From December 2021 to January 2022, the Maryland Department of Health was hit with a crippling ransomware attack, leaving its hospitals in chaos amid a surge of COVID-19 cases. MDoH confirmed that health officials had to calculate the COVID-19 statistics by hand and could not release death certificates for weeks.
The San Francisco 49ers made headlines for the wrong reasons during Super Bowl weekend when they were hit by ransomware. The BlackByte ransomware-as-a-service (RaaS) group claimed to have exfiltrated data with an estimated value of $4.175 billion.
Lapsus$ topped headlines multiple times this year, compromising Claro on Christmas Eve of 2021 and Impresa on New Year’s Day, 2022, and rounding out the year with tech giant Microsoft and SSO provider Okta.
Around Thanksgiving, Swedish retail giant Ikea confirmed an attack at the hands of the Vice Society hacking group.
Cybersecurity best practices for holidays and weekends
Last year, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint ransomware awareness advisory specific to looming holiday threats.
While CISA and the FBI don’t currently have specific threat reporting indicating a cyberattack will occur over the upcoming holidays, they did prepare a list of best practices for orgs to help address the risk posed by all cyber threats, including ransomware.
The list is extensive, so we reviewed it and pulled out highlights to prioritize as you prep for the holidays:
Schedule security employees to be "on call" during holidays
Educate end users throughout the year, but especially during the holidays, not to click on suspicious links or fall for social engineering tactics such as spear phishing attempts
Provide generic out-of-office messages for external recipients, or restrict automatic responses to internal contacts, if possible
Make and maintain offline, encrypted backups of data and regularly test backups
Raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments
Limit access to resources over internal networks, especially by restricting Remote Desktop Protocol (RDP) and using virtual desktop infrastructure
Review the security posture of third-party vendors and those interconnected with your organization
Replace software and operating systems that are EOL/EOS with currently supported versions
Regularly patch and update software to the latest available versions
Use a centralized and automated patch management system
Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices
Ensure strong passwords that are not reused across multiple accounts or stored on a system where an adversary may have access
Implement multi-factor authentication (MFA) for all services, particularly for remote access, VPNs, and accounts that access critical systems
Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties
Continuously and actively monitor for ransomware threats over holidays and weekends.
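The out-of-office reconnaissance described earlier and the "generic out-of-office messages for external recipients" item above come down to one check: does the auto-reply text contain anything beyond "I'm away"? Below is an added example, written for this post and not code from Automox or from the CISA/FBI advisory, that audits an auto-reply for the data points the post lists (absence wording, return dates, phone numbers, alternate contact addresses) and falls back to a generic message when the text is not safe to show external senders. The sample reply, the category names, the regular expressions and the generic wording are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample auto-reply (not a real message) containing the data points the
# post warns about: who is on PTO, when they return, a phone number, and an
# alternate contact's email address.
SAMPLE_REPLY = (
    "Thanks for your email. I am out of the office on PTO until Monday, January 9\n"
    "and will have limited access to email. For urgent matters, call my cell at\n"
    "(555) 010-4242 or contact our finance lead, Dana Reyes, at dana.reyes@example.com."
)

MONTHS = (
    "January|February|March|April|May|June|July|August|September|October|November|December"
    "|Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sept|Sep|Oct|Nov|Dec"
)

# Each pattern names one category of information an auto-reply may hand to a stranger.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "absence": re.compile(
        r"\b(?:out of (?:the )?office|away from (?:the )?office|on (?:PTO|vacation|leave|holiday))\b",
        re.IGNORECASE,
    ),
    # "January 9", "Jan 9th, 2023", "2023-01-09" or "1/9"
    "date": re.compile(
        rf"\b(?:(?:{MONTHS})\.?\s+\d{{1,2}}(?:st|nd|rd|th)?(?:,?\s+\d{{4}})?"
        r"|\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}(?:/\d{2,4})?)\b"
    ),
    "phone": re.compile(r"(?:\+?\d{1,2}[\s.-])?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def audit_auto_reply(text: str) -> Dict[str, List[str]]:
    """Return every category of leak-prone data found in an auto-reply, with the matches."""
    findings: Dict[str, List[str]] = {}
    for label, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[label] = hits
    return findings


# Saying you are away is unavoidable in an auto-reply; return dates, phone numbers
# and alternate contacts are what an external recipient should not see.
EXTERNAL_ALLOWED = frozenset({"absence"})


def is_safe_for_external(text: str) -> bool:
    return set(audit_auto_reply(text)) <= EXTERNAL_ALLOWED


# Constructed generic wording for external senders.
GENERIC_EXTERNAL_REPLY = (
    "Thank you for your message. I am currently out of the office and will reply "
    "when I return. For urgent matters, please use the contact options on our website."
)


def choose_external_reply(text: str) -> str:
    """Keep the user's wording if it is clean; otherwise substitute the generic message."""
    return text if is_safe_for_external(text) else GENERIC_EXTERNAL_REPLY


if __name__ == "__main__":
    for label, hits in audit_auto_reply(SAMPLE_REPLY).items():
        print(f"{label}: {hits}")
    print("safe for external recipients:", is_safe_for_external(SAMPLE_REPLY))
    print("reply to send externally:", choose_external_reply(SAMPLE_REPLY))
```

In practice this check would run wherever the auto-reply is set (a mail gateway rule, a helpdesk script, or a pre-holiday audit of mailboxes), and the internal version of the reply can keep the detail that the external version strips.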
BONUS: A few personal cybersecurity hygiene tips
Be wary of the too-good-to-be-true and the “your package has arrived” emails, especially if you do not recall ordering anything from a certain vendor or person.
Do not reuse passwords. If an attacker compromises one account, they’ll attempt to access other accounts with the same credentials.
Do not overshare your personal information on social media. You’d be surprised how often people post their exact locations, itineraries, etc., on a public forum.
Do not click on tracking number links for unexpected emails. Simply hover over the link to see where it directs. It is easy to go on autopilot and click all package links during the holidays.
A good rule of thumb is never to give out any information on inbound communications. When in doubt, reach out to the company/service/vendor directly via a verified phone number, online chat, or email on their website.
Trust your gut; if it seems weird, it probably is.
When possible, always enable two-factor authentication (2FA) on all your accounts. Even if an attacker gains access to your account credentials, you will have an additional layer of security.
Don't leave your devices unlocked when you have company over. Kids (and pets) are curious creatures.
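The "hover over the link to see where it directs" tip above is exactly what a mail filter can do for every package-tracking email before a user sees it. The following is an added example written for this post (not Automox code and not from any mail product): it parses the HTML body with the standard library, pulls out each link's visible text and real destination, and flags a link when the text shows one domain but the href goes to another, when the destination is plain http, or when the host borrows a carrier's name without being that carrier's domain. The sample email, the brand allowlist and the `registrable()` helper (which ignores multi-label suffixes such as co.uk) are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample HTML email body (not a real message). The first link shows a
# carrier URL as its visible text but actually points elsewhere (reserved .example
# TLD); the second link is consistent with its text.
SAMPLE_EMAIL_HTML = """
<p>Your package is on its way!</p>
<p>Track it here:
  <a href="http://ups-tracking-update.example/t?id=1Z999">https://www.ups.com/track?tracknum=1Z999</a>
</p>
<p>Questions? Visit <a href="https://www.ups.com/help">UPS Help Center</a></p>
"""

# Assumed allowlist: brand token -> the domain it legitimately belongs to.
KNOWN_BRANDS: Dict[str, str] = {"ups": "ups.com", "fedex": "fedex.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification for the example: a real
    implementation would consult the Public Suffix List (co.uk, com.au, ...)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# A URL or bare domain appearing in the visible link text (what the user believes).
DISPLAY_HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def check_links(html: str, brands: Dict[str, str]) -> List[Dict]:
    """Return one record per link with the reasons (possibly none) it looks suspicious."""
    results: List[Dict] = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons: List[str] = []

        shown = DISPLAY_HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"visible text shows {shown.group(1)} but link goes to {host}")
        if parsed.scheme == "http":
            reasons.append("link uses plain http")
        for brand, domain in brands.items():
            if brand in host and registrable(host) != domain:
                reasons.append(f"host mentions '{brand}' but is not {domain}")

        results.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return results


def suspicious_links(html: str, brands: Dict[str, str]) -> List[Dict]:
    return [r for r in check_links(html, brands) if r["reasons"]]


if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL_HTML, KNOWN_BRANDS):
        status = "SUSPICIOUS" if r["reasons"] else "ok"
        print(f"{status}: {r['text']!r} -> {r['host']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The display-versus-destination comparison is the automated form of hovering over a link; the brand check catches the "emulate a FedEx or UPS tracking number" pattern the post describes even when the visible text is a plain phrase rather than a URL.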
For more intel, review these resources to prepare for a safer holiday season:
By following the cybersecurity best practices from the FBI and CISA and digging into the additional resources provided here, you can reduce your risk of exposure and feel just a little bit better about taking that well-deserved time off.